

After a data breach, navigating the tangle of state notification laws can be exasperating and costly.

COMPUTERWORLD

ETHICS IN IT:

Dark secrets, ugly truths — and little guidance.


■ NEWS DIGEST

Storage media lost by Iron Mountain ... data on Louisiana residents. ■ Banks claim that 94 million credit cards were compromised in the TJX breach, double earlier estimates.

... into fraudulent bank accounts. ■ The U.S. Defense and Veterans Affairs departments still can't fully ...

Inside

■ DEPARTMENTS

On the Mark: Information integrity is probably your CFO's top

The Grill: Grady Booch. IBM Rational's ‘free radical’ talks about the enduring difficulties of software

13 Future Mobile Technologies That Will Change Your Life

These disruptive technologies will change how you work, play and communicate when you're mobile. Many believe it's not a matter of 'if' they will happen, but 'when.'

Geek Stars: The Secret (Nerdy) Lives of Celebrities

Who says all the big stars are brainless? We've dug up more than 40 celebrities with some serious science and technology chops. Prepare to be surprised. computerworld.com/careers

A Standard That Leaves Out the Good Stuff?

The Storage Management Initiative Specification was created to allow interoperability among hardware through a single pane of glass. But users and others say the standard falls far short because the most important APIs have been left out.

Opinion: The Best Privacy Advisers in 2007

Google Wants to Own Your Library

Google wants to make the world's libraries available online - exclusively via its own Web site. Nothing doing, say library

Protecting Against The 'D'oh!' Factor

Security managers can protect their companies against hackers, spammers, viruses and spyware. But who protects a company against its own employees' ignorance? Jaikumar Vijayan blogs about how this vulnerability affected grocery chain Supervalu.



Don Tennant

Keeping Our Wits

TWO WEEKS AGO, in a column titled “Under the Covers,” I provided a behind-the-scenes look at some of the issues we face in monitoring reader comments on our Web site and the tough decisions our editors sometimes have to make on whether a comment should be removed.

The case I cited involved the removal of two reader comments in response to “Data Centers Get Religion,” a story about unusual locations for data centers, including buildings that were formerly places of worship. I explained

readers have replied via e-mail. Thirteen said we got it right, 10 said we got it wrong, and three addressed the issue without expressing a view either way. The exercise demon-

censorship of the natural language of [those] who ... oppose this discarding of historical ties with formerly Christian institutions. Religious people use religious b

around us in any way that we can. ... Everyone else gets to share their view except people of faith. ... Make you a deal: You stop invoking religion in any of your articles, and we will stop responding to clarify or correct what is being inaccurately conveyed about a very personal issue.”

My question to this reader is a simple one: When you say “we,” to whom are you referring? All Christians? All people of faith? Then explain this response:

“As a bivocational pastor, I work a full-time job in the IT industry, as well



E-mail Is Here to Stay

Since the subject of the article “To Improve IT, Consider Ditching E-mail” [Computerworld.com, Oct. 9] is a CIO at a government
y, whether she succeeds or

CIOs Need Many Skills

Since IT has become a mission-critical support service that spans all departments in the enterprise, a business viewpoint for how all these systems interrelate with each other is essential to a CIO's skill set [“The Future CIO May Be a Nongeek,” Computerworld.com, Oct. 8].

A solid understanding of the company’s business model and operations helps when allocating IT resources in alignment with the organization's strategy and initiatives. There are also opportunities to identify and create business value through leveraging the information from multiple systems that

the globe. Few organizations have the luxury of face-to-face meetings anymore.

■ Marti C. Edwards, chief scientist, Chubbuck, Idaho

Expecting Downtime

The most important thing about uptime was buried in the story “Six Objections to Microsoft Office Communications Server” [Computerworld.com, Oct. 16]: that Lionbridge Technologies has had 99.88% scheduled uptime. That buries the reboots required for patching and other chores that eat into any Microsoft system’s uptime. When you only talk about “scheduled” uptime, you make that issue go away — on paper.

■ Lada McNair, DBA/EKP


State  Data  Loss  Renews 
on  Encryption 

crypted storage media from an Iron

ecutive director and chief operating officer of the agen-

The backup tapes, later recovered, fell off a conveyor belt and became lost in a shipping facility of an undisclosed contractor. Those tapes contained personal data on 200,000 Ameritrade clients.

protect data stored off-site.

The Louisiana Office of Student Financial Assistance (LOSFA) said the unencrypted data lost from an Iron Mountain vehicle on

disk drives. However, she acknowledged that "if you trust your data to a courier, then obviously something like this can happen."

According to Boutte, the

point forward, we encrypted [all data] and have taken that extra level of protection,” the spokesman said.

Brian Babineau, an analyst at Enterprise Strat-
Phishers Nearly Pull Off
$10M Scam of Grocer


JUST LIKE unwary individuals, large corporations can

ered by devious phishers into parting with money.

For example, grocery chain Supervalu Inc. earlier this year was conned into

$10 million into two fraudulent bank accounts before it discovered the ruse.

Details of the incident

filed in federal court in Idaho in connection with a case seeking to determine ownership of the

In the filing, Stephen Kilgroff, vice president of legal affairs at Eden Prairie, Minn.-based Supervalu, said the fraud took place in late February and early March.

On Feb. 26 and 28, he said, the company received two fraudulent e-mails — one purporting to be from an

Both of those firms are approved Supervalu suppliers, according to the filing.

Both fraudulent e-mails sought to get Supervalu to send future payments to new bank accounts.

Between Feb. 28 and March 5, Kilgroff's filing

transfers to an HSBC Holdings PLC account listed in the fake American

And on March 2, Supervalu said it made eight separate wire transfers totaling $3.6 million to First Security

Around March 6, according to the filings, Supervalu determined that it had been “induced" into depositing money into bogus accounts, and quickly notified federal law enforcement, which then recovered most of the money before it could be withdrawn by the scammers.

In an e-mail, a spokeswoman for Supervalu acknowledged the fraud but noted that “due to our internal controls and processes, we were able to quickly discover and report this to the FBI. As a result of the quick work of the Boise FBI office and the U.S. Attorney, any funds lost are minimal."

The company declined further on the

— Jaikumar Vijayan


DOD,  VA  Not  Fully  Engaged  on  E-health 


WASHINGTON - After nine ... of work the U.S. Department of Defense and the U.S. Department of Veterans Affairs ...

and emergency room reports. But they won't be able to exchange information such as the vital s...

laboratory data and family his... of patients until sometime next year, said Dr. Gerald Cross,

standardization of data," Cross told the oversight subcommittee of the U.S. House Committee on Veterans’ Affairs.

Valerie Melvin, a director at the U.S. Government Accountability Office, said that the GAO has yet

... that the DOD and VA still have “significant work” to do on the project.

But agency officials expressed optimism, saying that they expect to be able to share all of their e-health data within the next 12 months.

"We are all working toward the same end," said Dr. Ste-

... the DOD’s principal


Rockies  to 
Shower  on 
Ticket  Sales 

AN ONLINE SALE of World Series tickets by the Colorado Rockies got an early

Shaw Taylor, marketing director at Paciolan Inc., said the Irvine, Calif.-based ticketing company’s systems experienced "an outage” that began about 10 minutes after tickets went on sale for the Rockies' home games against the Boston Red Sox at Coors Field in Denver.

Only about 500 tickets were sold for the games before the servers were taken offline, according to Taylor. He said the outage lasted for

include about 550 sports teams, museums and performing arts centers.

Paciolan CEO Dave Butler said later in the week that the company had never been forced to shut down a sale before. But, he explained,

of denial-of-service attacks that the company’s Cisco firewalls couldn’t block. Paciolan decided to unplug the systems and add new filters


MySQL AB confirmed that it plans to include code developed by Google Inc. in future versions of its open-source database. Google uses

ONE YEAR AGO: Online brokerages E*Trade Financial Corp. and TD Ameritrade Holding Corp. disclosed that overseas hackers had broken into some customer accounts, resulting in losses of at least $22 million.


EC Ruling Ends Microsoft Appeal

BRUSSELS - Microsoft Corp. last week dropped its outstanding appeals of European antitrust rulings after the European Commission announced that the company is now in compliance with the EC's 2004 ruling.

Microsoft last year had appealed a €280.5 million ($402 million U.S.) fine imposed by the EC for failing to provide interoperability protocols to rivals, as required in the commission's 2004 antitrust ruling. The company had also appealed the EC's demand that it make the protocols available to software developers.

Erich Andersen, European general counsel for Microsoft, said that the company will now

“focus all of our energies on complying with our legal obligations and strengthening our constructive relationship with the European Commission."

Paul Meller, IDG News Service

HP to Buy Mideast Systems Integrator

MANAMA, BAHRAIN - Hewlett-Packard Co. last week agreed to acquire systems integrator Atos Origin Middle East, based here, as part of an effort to expand its services operation in the region.

HP did not disclose the terms of the deal for privately held Atos, but it did note that the firm is not related to Paris-based Atos Origin SA, another systems integration company.

Atos Origin Middle East has 450 employees and operates in Saudi Arabia, Bahrain, the United Arab Emirates, Libya and Qatar. It will become part
Microsoft and Open-Source Backers Eye Each Other Warily

Despite new overtures, the two sides remain ‘frenemies’ — sometimes friends, sometimes foes. By Eric Lai


THERE’S A SCENE in the 2004 movie Mean Girls in which the most popular girl in the film’s fictional high school finds out that a friend who now is a fast-rising social rival plans to throw a party without inviting her.

“Who does she think she is?” sniffs the suddenly threatened clique leader — or “Queen Bee,” in the movie’s parlance. “I, like, ‘invented’ her, you know what I mean?”

Take away the Valley Girl lingo and substitute “open source” for “she,” and you have an approximation of Microsoft Corp. CEO Steve Ballmer’s declaration almost exactly one year ago that Linux (playing the role of the movie’s “Wannabe”) “uses our intellectual property.”

Ballmer’s statement — along with follow-up claims by Microsoft executives that they had found violations of 235 patents in Linux and other open-source software — caused a sudden refrosting of what had been a slowly thawing relationship between the company and the open-source community.

In recent years, Microsoft, whose combative CEO once called Linux a “cancer” from an intellectual property standpoint, has set up its own open-source testing lab, begun hosting open-source projects on its CodePlex Web site and signed partnership deals with various open-source vendors.

But by dangling the threat of patent infringement lawsuits over the heads of users and vendors alike, “Microsoft opened up a can of worms with the open-source community that they have been attempting to close since then,” said Charles King, an analyst at Pund-IT Inc. in Hayward, Calif.

So wary "frenemies” the two sides

tionship
both directions this month.

Microsoft did finally get an invitation of sorts to the open-source party on Oct. 10, when the Open Source Initiative (OSI) approved two of its software licenses as a valid means of distributing open-source technologies.

The company also continues to try to ingratiate itself with open-source backers. At the Web 2.0 Summit in San Francisco, Ballmer vowed to “do some buying of companies that are built around open-source products.”

And last Monday, Microsoft agreed to give developers of open-source workgroup server products access to Windows interoperability information and to slash the royalties it will charge for using the information from 5.95% of a product’s revenue to 0.4%. But that

to finally comply with a 2004 antitrust ruling by the European Commission.

Microsoft also announced a collaboration and “intellectual property assurance” deal with Turbolinux Inc. last week — the latest in a series of controversial agreements that has split the Linux camp between vendors that have agreed to terms and others that have said they aren’t interested in doing so.

Nobody thinks Microsoft has displaced IBM as the BFF — best friend forever — of open-source vendors.

King, for one, remains skeptical about Microsoft’s intentions. The company "is endeavoring to be friends with customers that are purchasing and using Linux,” he said. “However, I’m not sure that makes them a friend of Linux." And, he noted, Microsoft’s patent claims are still an issue.

But Adam Solesby, chief technology officer at StudioNow Inc., a Nashville-based start-up that is developing a Web-based video editing service for

■ The specter of Microsoft suing open-source users is not a ... threat, said Adam Solesby, CTO at StudioNow. ‘I think we're fairly safe from that.’

In a blog posting that announced the OSI’s approval of Microsoft’s so-called shared-source licenses, Michael Tiemann, the open-source group’s presi-

and the company’s ongoing commitment to participation in the open-source community.” Microsoft said Hilf was on vacation and unavailable for a follow-up interview last week.

"Microsoft appears to have accepted that Linux — on servers and devices at least, if not the desktop — cannot be completely stopped,” said Daniel Egger, CEO of consulting firm Open Source Risk Management Inc.

Turbolinux is the seventh Linux vendor to sign a licensing deal that includes a promise by Microsoft not



IT Answers Call in California Wildfires

Tech execs put backup plans and new systems into action to help cope with massive blazes.

By Patrick Thibodeau

to come to work put a well-rehearsed contingency plan into effect.

Pepperdine sends its backup tapes to Iron Mountain Inc. for storage. In addition, copies of the latest tape backups were placed in a fireproof safe. The school’s ERP applications were shut down as a precaution, and the hard drives were removed and safely stored.

Chester said it took just 35 minutes to do all of that work, which was completed before 8 a.m. As the day wore on, firefighters managed to keep the flames away from the data center, and the facility never went offline. But it was important to be prepared for the worst, according to Chester.

“The whole purpose of planning,” he said, “is to make sure you’ve always got options - so that when you find yourself in a situation, you’re familiar with what those options are, as opposed to having to think them through with very little response time.”

In San Diego, massive wildfires burning in and around the city posed a real-world test for technologies that the municipal government had recently installed.

gency response operations and a Reverse 911 system for sending alerts to residents.

Matt McGarvey, San Diego’s CIO, said last Wednesday that the new

installed last year. The collaboration technology, developed by ESi Acquisition Inc., works similarly to a message board — enabling multiple users to post updates about events. The system can also be used to share files, such as GIS maps of burn and evacuation areas.

The ability to rapidly exchange information gave the city’s emergency response

e-mail alone would have, McGarvey said.

But he added that the new system has also created some challenges. Last Tuesday night, a posting erroneously indicated that one of the fires had spread much farther west than expected. McGarvey said the incorrect information prompted city workers to begin preparing for a situation that didn’t actually exist.

What’s needed, he added,




On the Mark

HOT TRENDS ■ NEW PRODUCT NEWS ■ INDUSTRY BUZZ BY MARK HALL

Get Serious About Info Integrity

MADHAVAN NAYAR isn’t surprised that 58% of the 653 members of Financial Executives International who responded to its 2007 survey said their “most pervasive critical technology concern” is information integrity. The CEO of Infogix Inc. in Naperville, Ill., says the top financial executives at large companies understand that “the integrity of information cannot be taken for granted.” You’d think IT would have

policies for equipment and software. Plus, he notes, many companies have islands of incomplete or isolated information and use lousy data-conversion techniques. Add in IT complexity and security concerns,

mation integrity their highest priority, Nayar thinks that if they do, they'll have strong support from their CFOs.

Secure All Code

Most modern software development shops use sophisticated methods and products to discover security holes in their code. For some time, Fortify Software Inc.’s Source Code Analyzer has been one of those tools.

... of December, looks forward by adding ultrahip PHP and JavaScript support, but it also looks backward at the antiquated source code running in your data center. According to Barmak Meftah, senior vice president of products and services at Palo Alto, Calif.-based Fortify, Source Code Analyzer 5.0 will include support for Cobol, Visual Basic and Active Server Pages. He

Cozy Up to Your ISP

Corporate networks must fend for themselves against malware attack. But Steve Bannerman, vice president of marketing and product manage- ... Inc. in Mountain View, Calif., believes that in the near future




■ THE GRILL

Grady Booch

IBM Rational's ‘free radical’ talks about the enduring difficulties of software development, his advocacy of open source and Second Life, and his license to kill.

COMPUTERWORLD October 29, 2007




■  THEORILLIORADYBOOCH 


The  OS  wars 


I  over.  Let’s 
decide  on  a  common 


pHUionn.  inoraiore, 
Limix  makes  sense. 


Continued  frompage28 

users  don't  want  to  see  that  software. 

Most  of  the  interesting  systems 
today  are  no  longer  just  systems  by 
themselves,  but  they  tend  to  be  sys¬ 
tems  of  systems.  It  is  the  set  of  them 
working  in  harmony.  We  don't  have  a 
lot  of  good  processes  or  analysis  tools 
to  really  understand  how  those  things 
behave.  Many  systems  look  danger¬ 
ously  fragile.  The  bad  news  is  they  ore 
fragile.  This  is  another  force  that  will 


tram  2003  ■cquMMunOMlaiial. 
Md  wM  «•  MUM  of  Ow  *n>bKlis 
^outbaiiVpartainiT  Tve  got  much 
cooler  business  cards. 

Now,  we're  dealing  with  an  organi¬ 
zation  that  is  two  orders  of  magnitude 
larger  and  operating  in  businesses  that 
[Rational]  had  no  traction  in. 

It  is  really  cool  working  with  brilliant 
people.  When  the  acquisition  was  first 
consummated,  one  of  my  first  tasks  was 
to  manage  the  IBM/Rational  research 
relationship.  There  are  some  really 
fasdnatiiig  thing,  going  on  there,  deal¬ 
ing  with  static  and  dynamic  analysis 
and  collaboration.  We  have  a  team  now 
looking  at  using  virtual  worlds  for  do¬ 
ing  distributed  software  development. 

When  you  have  an  oiganization  that 
is  100  times  larger,  there  is  a  little  bit 
more  bureaucracy.  DBM  asked  me]  to 
destroy  bureaucracy.  I  have  a  license 
to  kill,  so  to  speak.  IBM  is  a  target-rich 
environment. 


WlHlIiiawtidMMllHtlfMtsgfhi- 

■■  EdpM  M  pnpamminiT  Consider 
where  Rational  was  prior  to  Eclipse. 
We  had  to  split  our  loyalties  because 
there  was  a  variety  of  IDEs  [integrat¬ 
ed  development  environments]  that 
were  interesting  in  the  marketplace 
[and]  none  had  reached  critical  mass. 
We  worked  with  IBM  to  he^  make 
Eclipse  happen.  Now,  all  of  a  sudden. 
Eclipse  was  the  de  facto  standard. 
There  is  no  value  added  in  Rational 
building  an  IDE. 

[Open-source]  projects  that  have 
really  gotten  traction  represent  a  codi¬ 
fication  of  things  that  are  commodities. 
The  OS  wars  are  largely  over.  Let's  de¬ 
cide  on  a  common  pUtfiirm.  Theiefi>re, 

Open  source  represents  an  economic 
process  where  you  find  some  applica¬ 
tions  you  can't  make  money  on,  and  it 
makes  sense  for  us  as  an  industry  to 
pool  our  resources. 

VouniMtioMdlliaiyMlHMallicro- 

tMtWindawi-lMtaflwi.«nMleoinpirt- 

•n  da  yw  «M?  A  Macintosh  is  my 
main  machine.  I  carry  around  a  Palm 


ware  firewaU.  I've  got  a  2TB  file  server 
for  backup.  We  have  17  IP  addresses 
inside  [the  house].  When  I  traveL  I 
can  look  at  the  security  cameras  in  my 
house  and  look  in  on  the  cats. 

You appeared at the most recent Rational

and you have given some lectures in Second Life. What attracts you to Second Life, and what do you make of some of the more recent defections by companies that have said there are just not enough people in Second Life to make it worthwhile to have a presence there? Virtual worlds are a force multiplier for me. I am under such demand to travel. In my office, I have a videoconferencing system that is still not good enough. It is still just talking heads. I have been able to expand my reach by using Second Life where I could not justify the time and expense to travel.

Maybe those companies [that have left Second Life] got in there for the wrong reasons. Why do I want to go to Store X in a virtual world?

IBM has 50 or so islands that we own [in Second Life]. We've derived business value by using it internally.

I  can  look  at  the  lectures  I  have  done 
and  say,  “I  have  saved  IBM  money." 

If you were back in the U.S. Air Force Academy [where Booch earned his bachelor's degree in 1977] today, what would you choose to study? I would want to be an astronaut. The economics of that business are so different now. It used to be that NASA and the government had the stronghold on space travel. The generation after us — they're probably going to go to space. Good for them.


prised you the most in the past decade? I am not easily surprised. I will honestly say I am not sure I have been surprised.

I read a heap of history. I am so attuned to the social and historical things that have gone on that I see virtually everything that has happened as evolutionary rather than revolutionary.

I  haven't  seen  any  revolutions. 

Heck,  I  had  my  first  e-mail  address  in 




■  OPINION 

Thornton  A.  May 


All of IT's Spinning Plates Are Falling

Many new CIOs slam into an ugly truth at about one month in: The job is too big. There's too much to know and not enough time to learn it. There's too much to do and not enough hands to plug all the holes in the dike. There are too many relationships to be managed and not enough days in the week to manage them.

Thus, we have the recurring sad saga of plate-spinning IT leaders desperately trying to keep enough crockery from smashing into bits to preserve a modicum of job security. So intent are they on this balancing act that they have no way to see that it's doomed.

That's because the three plates that give them the most trouble are already broken. And yet they play a vital role in the equilibrium of all the others. If you could properly repair them, you could spin them innovatively. This would simplify your life, reduce your workload and set you up for a gratifying, less frenzied career, while adding substantive value to the enterprise.

What's on these plates? Three challenges we've never put behind us: how to sell IT, how to develop a world-class staff, and how to communicate activity-based IT costs.

I first encountered all this broken crockery years ago during a boot camp for new CIOs. In Stage 1, Harvard Business School types told the newbies what they could expect. After the newbies had gained some on-the-job experience, they reconvened for Stage 2 to share what they had learned. Stage 3 was to be a discussion of best practices, but we never got that far. Midway through Stage 2, as we listened to stories from the front lines, a hypothesis started to emerge: There was something systemically "off" about the way IT was being done.

■ New CIOs soon see that something is systemically "off" in the way IT is done.

Since then, I've given a lot of thought to those three big challenges and how to restore some equilibrium to IT. These are my conclusions:

We shouldn't be trying to sell IT at all. Customers should be clamoring for our help. At this point, IT's ability to creatively solve problems should make every line-of-business leader see that they would be crazy not to spend time with us. Customers should be able to tell us which off-the-shelf infrastructure, data and storage components we could combine to give them what they need.

We are only as good as the people in our IT organizations. Most of us, nonetheless, have primitive development programs in place for senior IT staff. Fix this or fail — it's that simple. Your good people will leave, and you won't be able to afford the skills you'll need to buy on the spot market.

account for what we spend and how we enable the future. Let's be honest with ourselves — many executives don't know what we do. This is unsustainable ignorance that has given rise to a Dickensian IT funding model: Please, sir, may I have some more? It is almost unheard of to be able to fund infrastructure investment — unless a law like Sarbanes-Oxley makes it unavoidable. It is similarly extraordinary for enterprises to fund high-risk technology ventures. Thus, the two pillars of competitive differentiation — innovation and infrastructure — are outside the purview of traditional IT funding models. This is wrong, and it must change.

What are you waiting for? That crockery isn't going to repair itself. ■

Thornton A. May is a longtime industry observer, management consultant and commentator. You can contact him at thorntonamay@aol.com.


COMPUTERWORLD October 29, 2007




Ethics in IT


COVER STORY


Dark secrets, ugly truths. And little guidance. By Tam Harbert


What Bryan found on an executive's computer six years ago still weighs heavily on his mind. He's particularly troubled that the man he discovered using a company PC to view pornography of Asian women and of children was subsequently promoted and moved to China to run a manufacturing plant.

"To this day, I regret not taking that stuff to the FBI," says Bryan.

It happened when Bryan, who asked that his last name not be published, was IT director at the U.S. division of a $500 million multinational corporation based in Germany.


The company's Internet usage policy, which Bryan helped develop with input from senior management, prohibited the use of company computers to access pornographic or adult-content Web sites. One of Bryan's duties was to monitor employee Web surfing using products from SurfControl PLC and report any violations to management.

Bryan knew that the executive, who was a level above him in another department, was popular within both the U.S. division and the German parent. But when the tools turned up dozens of pornographic Web sites visited by the exec's computer, Bryan followed the policy. "That's what it's there for. I wasn't going to get into trouble for following the policy," he reasoned.

So he went to his manager with copies of the Web logs (which he still has in his possession and made available to Computerworld for verification).

POWER  AND  RESPONSIBILITY 

Bryan's case is a good example of the ethical dilemmas that IT workers may encounter on the job. IT employees have privileged access to digital information, both personal and professional, throughout the company, and they have the technical prowess to manipulate that information.

That gives them both the power and responsibility to monitor and report employees who break company rules. IT professionals may also uncover evidence that a co-worker is, say, embezzling funds, or they could be tempted to peek at private salary information or personal e-mails. But there's little guidance on what to do in these uncomfortable situations.

In the case of the porn-viewing executive, Bryan didn't get into trouble, but neither did the executive, who came up with "a pretty outlandish explanation" that the company accepted, Bryan says. He considered going to the FBI, but the Internet bubble had just burst, and jobs were hard to come by. "It was a tough choice," Bryan says. "[But] I had a family to feed."


In the spring of this year, security vendor Cyber-Ark Software Ltd. conducted a survey in which one-third of 200 IT employees who responded

nyq^maodpaaklrioD^^
information such as salary data. A poll of more than 1fU)00 U.S. IT practitioners conducted in June 2007 by the Ponemon Institute returned these equally disturbing findings:

■ 62% of IT employees polled said

'1iSO%saU^hBdMd^
confidential or sensitive information without a legitimate reason.

■ 42% said they had knowingly violated their company's privacy, security or IT policies.

■ 32% of the respondents were at

average experience level was 8.4

— TAM HARBERT

In theory, ethical behavior is governed by laws, corporate policy, professional ethics and personal judgment. But as IT pros discover all the time, finding a way through that thorny thicket can be one of the most

Perhaps it would ease Bryan's conscience to know that he did just what labor attorney Linn Hynds, a senior partner at Honigman Miller Schwartz and Cohn LLP, would have advised in his case. "Let the company handle it," she says. "Make sure you report violations to the right person in your company, and show them the evidence. After that, leave it to the people who are supposed to be making that decision."

PICKING UP THE SLACK

Ideally, corporate policy takes over

place ethics to clear up gray areas and remove personal judgment from the equation as much as possible.

"If you don't set out your policy and your guidelines, if you don't make sure that people know what they are and understand them, you're in no position to hold [workers] accountable," says John Reece, a former CIO at the Internal Revenue Service and Time Warner Inc. Having clear ethical guidelines also lets employees off the hook emotionally if the person they discover breaking the policy is a friend, a direct report or a supervisor, says Reece, who is now head of consultancy John C. Reece and Associates LLC.

That policy should warn all employees that their PCs are company property, and therefore any information on them is fair game for investigation, says Art Crane, principal of Capstone Services, a human resources consultancy. It should provide clear instructions on what to do when employees encounter a violation of the policy, including guidance on how to bring it up the chain of command. It should also have whistle-blower provisions that protect employees from retaliation.

But many corporate policies are ill defined, fail to keep up with new technologies and are poorly communicated to the IT department.

That's partly because ethics policies are typically defined by an organization's lawyers or regulatory compliance staff, says Larry Ponemon, chairman of Ponemon Institute LLC, a research company that specializes in privacy and data protection. "These folks may not fully understand or respect the complexities that IT-related ethical issues create," he notes.


TROUBLES, PAST AND FUTURE

Organizations that have policies in place often focus on areas where they had trouble in the past or emphasize whatever they are most worried about. When Reece was at the IRS, for example, the biggest emphasis was on protecting the confidentiality of taxpayer information, he says.

At the U.S. Department of Defense, policies usually emphasize procurement rules, notes Stephen Northcutt, president of the SANS Technology Institute and author of IT Ethics Handbook: Right and Wrong for IT Professionals (Syngress, 2004).

Adding to the complexity, an organization that depends on highly skilled workers might be more lenient. When Northcutt worked in IT security at the Naval Surface Warfare Center in Virginia, it was a rarefied atmosphere of highly sought-after Ph.D.s. "I was told pretty clearly that if I made a whole lot of Ph.D.s very unhappy so that they

anymore," says Northcutt.

Of course, that wasn't written in any policy manual, so Northcutt had to read between the lines. "The way I interpreted it was: Child pornography, turn that in," he says. "But if the leading mathematician wants to download some pictures of naked girls, they didn't want to hear from me."

Northcutt says that he did find child porn on two occasions and that both events led to prosecution. As for other offensive photos that he encountered, Northcutt pointed out to his superiors that there might be a legal liability, citing a Supreme Court decision that found that similar pictures at a military installation indicated a pervasive atmosphere of sexual harassment. That did the trick. "Once they saw that law was involved, they were more willing to change culture and policy," Northcutt says.

When policies aren't clear, ethical decisions are left to the judgment of IT employees, which varies by person and the particular circumstances.


Some computing groups have developed, or are working to establish, ethics codes for IT.

The Association for Computing Machinery and the Association of Information Technology Professionals, for example, have adopted generalized ethics codes. And the Institute of Electrical and Electronics Engineers Inc. has both a general code of ethics and a software engineering code of ethics.

The following certification groups

sortium Inc.

■ Information Systems Security Association Inc.
basis International

If a universal code is adopted, the next step would be standards of practice that would serve as teeth behind the code — a sort of American Bar Association for IT. If an IT worker violated the standards, in theory he might be "disbarred" from the profession.

— TAM HARBERT

For example, Gary, a director of technology at a nonprofit organization in the Midwest, flat-out refused when the assistant CEO wanted to use a mailing list that a new employee had stolen from her former employer. But Gary, who asked that his last name not be used, didn't stop his boss from installing unlicensed software on PCs for a short time, though he refused to do it himself. "The question is, how much was it really going to hurt anybody? We were still going to have 99.5% compliant software. I was OK with that." He says he uninstalled it, with his boss's approval, as soon as he could — about a week later.

Northcutt  argues  that  the  IT  pro¬ 
fession  should  have  two  things  that 
professions  such  as  law  or  accounting 
have  had  for  years:  a  code  of  ethics 
and  standards  of  practice.  That  way, 
when  company  policy  is  nonexistent 
or  unclear,  IT  professionals  still  have 
standards  to  fall  back  on. 

That might be useful for Tim, a systems administrator who works at a Fortune 500 agricultural business. When Tim, who asked that his last name not be published, happened across an unencrypted spreadsheet of salary information on a manager's PC, he copied it. He didn't share the information with anyone or use it to his advantage. It was an impulsive act, he admits, that stemmed from frustration with his employer. "I didn't take it for nefarious reasons; I just took it to prove that I could," he says.

Tim's actions point to a disturbing trend: IT workers justifying their ethically questionable behavior. That path can end in criminal activity, says fraud investigator Chuck Martell. "We started seeing a few cases about seven or eight years ago," says Martell, managing director of investigative services at Veritas Global LLC, a security firm in Southfield, Mich. "Now we're [investigating] a tremendous amount of them."

Whichever side of the line they're on, IT workers will — for now at least — continue to muddle through ethical dilemmas on their own and wrestle with their consciences afterward. ■

Harbert is a Washington-based freelance journalist specializing in technology, business and public policy.
A Smorgasbord of State Requirements

■ 18 states and Washington, D.C., require notification of any breach.
■ 20 states require notification only when risk of harm is present.
■ 38 states provide for exemptions if compromised data was encrypted.
■ 24 states require notification of government officers or agencies such as the state attorney general, the consum..


Continued from page 38

fice may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult," Rosembaum notes.

Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals. Others force compa-

breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals," notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.

The timing on triggers also varies. "Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers," says Jor^^,

Rossin Co. in Miami.

Notification triggers aren't the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, "another state without such an exception would require a notice, even though the data was unreadable," says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.

And as Bananas.com learned, the high cost of notification compliance doesn't stop with the resources it takes to coordi-

and fines," says Scott

DAMAGE CONTROL

The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws. After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. "We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so," says Christopher Cwalina, ChoicePoint's assis-

The company's woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team. Its policy now "lists all enacted state data breach notification laws, as well as the unique requirements of each law," Cwalina says.

In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach.

Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. "Encryption is the single

pact of data breaches," says Scott. "Under most privacy statutes, if you have encryption, you get a free pass from notification."

But with or without encryption, it's wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies. The goal, says Cwalina, is to "act quickly, investigate thoroughly and notify promptly." ■

McAdams is a freelance writer in Vienna, Va. Contact her at JMTechWriter@aol.com.
■ SECURITY MANAGER'S JOURNAL | C.J. KELLY


Trouble Ticket


Security Issues Are Everywhere

A security manager's job is never done, but it helps if everyone in the agency has been trained to recognize trouble.


SOMETHING that arose last week shows that security is a never-ending battle, but it also demonstrates the importance of making everyone security-conscious.

The latest security lapse in my state agency was brought to my attention by the IT program manager in charge of the contract with the vendor that handles the processing of the agency's Medicaid claims. (Most of us at the agency had been blissfully ignorant of it.) Currently, he is working with the accounting department to figure out how to reduce copying and mailing costs.

The vendor in question

to the tune of about $1 million a year. I'm all for saving taxpayers money, but why does it always seem that even our cost-cutting initiatives raise our security risks?

— let's call him Pete — hadn't always been very aware of security issues, but he and I had been working together on ensuring that the appropriate language outlining our security requirements was included in all our vendor contracts and requests for proposals. His new awareness came to the fore when he toured the state's copy and distribution center and its mail-

could pull the copying and mailing in-house to save some money.

What Pete found was that our agency regularly sends boxes of letters containing protected health information to the state copy center to be stuffed into envelopes and then mailed by the state mail-

Pete has spent enough time with me lately that this process triggered security alarm bells inside his head. We're answerable to the strictures of HIPAA. Pete asked his tour guide about the copy center's security procedures and learned that there weren't any, really. Although keycode access readers had been installed on all the doors, they had never been activated. Internal doors weren't locked, and employees moved about freely.

The boxes of letters are picked up by a state van and delivered to the copy room, where they are stacked with all the other agency requests and processed on a first-come, first-served basis. So they are transported insecurely and then left unattended in a room with lax security. I was starting to get a headache.

told Pete that he would be happy to comply with any

had and would be open to the idea of us giving his staff security training.


RAISING AWARENESS

When Pete told me all this, I pulled in the HIPAA privacy officer, who asked what type of information was printed on those letters. It couldn't have been worse: Social Security numbers, names, addresses, Medicaid information. I thought we both were going to faint dead away.


taining HIPAA-protected health information are being handled laxly.

ACTION PLAN: Raise awareness of security is-

of this one agency.


The privacy officer then had a talk with the program manager whose department was sending these documents to the copy room. She learned that the letters containing the sensitive information were being sent out to people so they could confirm that all of their information was correct. We are now looking at whether this procedure needs to be

Because the copy center and the mailroom are in two separate state agencies, we need to talk to the administrators of each agency about the need to handle our sensitive information securely. We will probably want both to sign HIPAA business-associate agreements, which would define the agencies' responsibilities in protecting

information. And we are certainly going to have to do some

lead to another security lapse being uncovered before it's too late. ■

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.


the acceptance of business units and application developers. "I felt like we weren't making progress for a while," Tibbling says.

Con-way's logistics group had experienced false starts with EA in the past. Some employees sensed that enterprise architects had an ivory-tower mentality. "It was viewed as added cost and waste," Tibbling says.


THEORY  TO  PRACTICE 

How  well  EA  teams  and 
CIOs  at  companies  such 
as  Con-way  bridge  the  gap 
between  the  theoretical  and 
the  practical  is  crucial  to 
their  survival,  according  to 
consultant  Brenda  Michel- 
son,  a  former  chief  enter¬ 
prise  architect  at  L.L.Bean 
Inc.  in  Freeport,  Maine. 

EA  teams  were  first  cre¬ 
ated  to  rationalize  what  was 
going  on  in  IT,  she  explains. 
Their  initial  work  may  have 


vith  approved  product  lists, 
iut  now  architects  take  a 
note  active  role,  often  lead- 
ng  major  initiatives  such 


ey  are  more  involved  in 
nibstantive  things  —  helping 
project  teams  do  their  jobs,” 
Michekon  says. 

But  there’s  a  downside. 
“Historically,  some  have 
been  guilty  of  seeing  the 
irchitecture  as  an  end,  as 
something  they  create  and 
[hen  hand  off,”  she  adds. 

For  instance,  EA  is  man¬ 
dated  within  the  federal 
government,  so  EA  plans 
are  being  produced  —  but 
they  aren’t  always  used,  Mi- 
chelson  says.  Also,  because 
some  people  on  EA  teams 
haven’t  been  in  a  delivery 
role  for  some  time,  they  can 
lose  touch  with  the  needs  of 
teams  that  are  delivery- 
focused,  she  says. 

Michelson,  now  principal 


of  Elemental  Links,  an  IT  ad¬ 
visory  firm  in  Gray,  Maine, 
bases  her  consulting  work  on 
her  experience  at  L.L.Bean, 
where  she  founded  the  EA 
group.  She  remembers  early 
on  hearing  comments  like 
‘Oh,  you’re  the  one  who 
writes  all  those  white  pa- 


and  achieved  concrete 
results,  introducing  event- 
driven  architecture  and  SOA 
initiatives.  (An  event-driven 
architecture is built to
respond  to  change.  For  ex¬ 
ample,  when  a  shopper  buys 
an  L.L.Bean  shirt,  the  shirt 
changes  from  “inventory  for 
sale”  to  “sold  goods.”) 


TEAM-BUILDING

At Con-way, Barretta and her
EA  leaders  faced  the  delicate 
task  of  forging  an  EA  team 
from  two  business  units, 
freight  and  logistics.  Only 
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freight  had  any  architectural 
experience.  The  EA  practice 
there  had  grown  up  organi¬ 
cally.  They  had  started  work¬ 
ing  on  projects  in  an  ad  hoc 
way, and as they gained trust,
people  began  to  ask  them 
what  principles  should  guide 
their  work,  Tibbling  says. 

Most  of  the  members  of 
the  initial  EA  team  came 
from  freight  because  EA 
was  a  foreign  concept  to 
many in the logistics unit.
They’d  had  limited  experi¬ 
ence  with  architects,  and 
they  considered  it  bad  ex¬ 
perience.  They  felt  that  EA 


established  boundaries  and 
added  cost  to  their  projects 
without  bringing  enough 
tangible  benefits. 

The  challenge,  therefore, 
was  to  foster  acceptance  of 
EA  concepts  and  to  build 
trust  among  co-workers, 
says  EA  team  manager 
Jeon Rezvani. “We looked
for key players in logistics
who were respected that we
could add to our team,” says
Rezvani. “Communication,
evangelization and constantly
taking the pulse of
the IT employees gradually
overcame  resistance.” 

Barretta  gave  certain 
EA  projects  lots  of  internal 
publicity.  One  such  project 
involved  an  SOA  approach 
to  the  logistics  management 
system  that  brought  a  new 
level of sophistication, automation
and process control
to  planning  and  optimizing 
truckload  volumes.  "We 
made  very  clear  the  role  the 
EA  team  had  in  putting  that 
in  place,”  Barretta  says. 

Representatives from each
stakeholder group are involved
in architectural
decision-making. For example,
members of the virtual
team tasked with choosing
which business intelligence
tool will be used companywide
are led by an EA person,
but “they pull people from
different application development
teams to get their input
on pros and cons of each
application,” Barretta says.

“We let them influence
road maps, and we made tactical
compromises,” Tibbling
says. “We understand that
they are driven by deadlines,
and we are not going to insist
on changes that would unreasonably
upset those deadlines.
Instead, we try to make
small incremental improvements
within their budgets.”

As  important  as  winning 
over the IT staff is, Tibbling
stresses that it’s also important
to get involved in strategic
planning with business
units.  For  instance,  the  lo¬ 
gistics  unit  has  asked  her  to 
sit  on  a  long-term  planning 
task  force  studying  trends 
in  transportation.  “This  is 
great visibility,” she says. “It
shows  people  that  we’re  not 
just  IT  geeks  telling  them 
what  to  do.  We’re  actually 


engaged  with  the  business 
people  on  how  to  get  them 
where  they  want  to  go.” 

TRANSFORMATION

Michael  Kim  has  experienced 
the  development  of  an  EA 
team  at  The  Hartford  Finan¬ 
cial  Services  Group  Inc.  from 
both  sides.  As  a  divisional 
CIO  at  the  Hartford,  Conn.- 
based  insurance  giant,  he 
was  one  of  the  team’s  initial 
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customers.  But  after  a  recent 
promotion  to  chief  technol¬ 
ogy  officer  of  The  Hartford’s 
property-casualty  unit,  he  is 
now  responsible  for  the  EA 
team’s  performance. 

The  evolution  of  EA  at 
The  Hartford  is  part  of  a 
broader  transformation 
three  years  in  the  making, 
Kim  says.  After  taking  stock 
of  the  company’s  technology 
staff and processes, IT leaders
realized they lacked discipline
and a framework.

“We  had  good  people  do¬ 
ing  architecture  work,  but 
they  were  embedded  within 
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MICHAEL  KIM,  CTO. 
PROPERTY-CASUALTY. 

THE  HARTFORD 

The  Hartford  recently 
created  an  architectural 
steering  committee  to  assign 
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Paul  M.  Ingevaldson 

No  More  Mr.  Nice  Guy 


IT  HAS  BEEN  my  experience  that  IT  professionals  will 
do  just  about  anything  to  please  the  user.  Regardless  of 
what  is  requested,  the  typical  IT  pro  says  yes.  But  what 
has it gotten us? We are being outsourced, offshored and
told  that  we  don’t  matter.  We  agree  to  a  major  enhancement  to 
a  system  during  development,  and  we  get  charged  with  miss¬ 
ing  budgets  and  deadlines.  We  agree  to  modify  an  outside 


It's  time  to  become 
more  professional  and 
take  our  place  in  the 
company hierarchy. It’s
time  to  stand  up  for  our 
principles.  It’s  time  to 
say  no. 

When  users  don’t  have 
time  to  tell  us  what  they 
really want in their new
system, we should say,
“No. You can’t have the
system until you spend
the time to tell us what
you want.”

When  users  come  to  us 
during  the  development 
cycle  and  significantly 
change  the  specs  and 
expect  us  to  meet  all  the 
former  deadlines,  we 
should  say,  “No.  If  you 
want  these  changes,  we 
are happy to put them in,
but  we  are  also  going  to 
have  to  re-estimate  the 
project  and  develop  new 
timetables  and  costs.” 

When  users  ask  us  to 


customize  a  commercial 
software  package,  we 
should  say,  “No.  The  rea¬ 
son  we  bought  an  outside 
package  was  to  avoid 
the  downstream  mainte¬ 
nance  and  compatibility 
costs.  If  you  go  with  an 
outside  package,  you 
must  agree  to  conform  to 
its processes.”

When  a  user  depart¬ 
ment  asks  us  to  de¬ 
termine  the  return  on 
investment  and  then  sell 
the  project,  we  should 
say, “No. We would be
happy  to  work  with  you 
on  the  process,  but  it’s 
up  to  you  to  calculate 
the ROI and sell it to the
steering committee.”

When  a  user  depart¬ 
ment  complains  that  it 
didn’t  receive  the  expect¬ 
ed  benefits  of  a  project, 
we should say, “Back
off.  We  are  responsible 
for  developing  the  sys¬ 
tem  on  spec,  on  time 
and  on  budget.  You  are 
responsible  for  making 
the  changes  necessary  to 


tation  and  the  resulting 
benefits.” 

In  order  to  better  con¬ 
trol  our  fate  and  reputa¬ 
tion  within  our  compa¬ 
nies,  we  in  IT  must  begin 
to  act  the  same  way  other 
support  departments  do. 

No  construction  com¬ 
pany  would  erect  a  build¬ 
ing  without  an  agreement 
on  specs.  It  would  say  no. 

No  construction  com¬ 
pany  would  ever  make 
a  field  change  of  signifi¬ 
cance  without  having 
a  signed-off  change  or¬ 
der  in  the  files.  It  would 
say  no. 

No  construction  com¬ 


pany  would  be  expected 
to  justify  a  factory  that 
it  happens  to  be  building. 
If  asked  to  do  so,  it  would 
say  no. 

It  would  also  say  no 
if  its  contract  required 
it  to  be  responsible  to  at¬ 
tain  the  savings  that  were 
included in the justifica-

Now,  I  don’t  expect  IT 
pros  to  say  no  by  “just 
saying no.” There are
ways  to  say  no  that  help 
everyone  understand 
the  roles  that  IT  and  the 
users  must  play  in  every 
development  cycle.  The 
ability  to  say  no  tactfully 
and with respect is a major
skill set that we need

I  believe  we  would 
all  be  surprised  at  the 
results if we stood up for
these  principles  in  a  pro¬ 
fessional  manner. 

Every  profession  has 
rules of conduct that
are not violated. Many
professions, such as accounting,
have organizations
that establish the
rules,  and  woe  to  the  per¬ 
son  who  violates  them. 
But  experience  shows 
that  as  soon  as  users  feel 
that  the  rules  can  be  ad¬ 
justed,  they  will  ask  us  to 
do it.

My  advice:  Just  say 


as CIO at Ace Hardware
Corp. in 2004 after 40 years
in the IT business. Contact
him at ingepi@aol.com.
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The  In-Demand  Skills 


As Hunter Muller sees it, professional networking is analogous to the TV game show Who Wants to Be a Millionaire.

“It's the power of the network, the power of the lifeline that helps people out,” said Muller, president and CEO of The Advisory Council, a Norwalk, Conn.-based IT research and advisory service.

But for many people, there's a delicate line between networking and job hunting. Professionals who mingle with their peers to find new positions often end up alienating the very people they're counting on for support, according to IT executives who spoke recently at a meeting of the Fairfield County, Conn., and Westchester County, N.Y., chapter of the Society for Information Management.

“People who are networking to find a job create distance [from their peers] because they're about taking and wanting, and networking is about giving and sharing,” said Jeff Skulsky, CIO at Regeneron Pharmaceuticals Inc. in Tarrytown, N.Y. “If you're networking to find a job, it's too late,” he added.

Sometimes, soft-pedaling can be more effective. When Rhona Kannon transitioned from a career as an IT professional into the IT recruiting market, she reached out to 150 people she knew, but she wasn't pushy.

“I said, ‘Hi, how are you? This is what I'm doing now,’ without asking them for business,” said Kannon, a partner at The Cambridge Group Ltd., a recruiter in Westport, Conn. Those contacts responded well to her easygoing approach, explained Kannon, and she credits them with helping to build her recruiting business.

Networking “is about approaching people on their terms” without necessarily expecting something in return, said Ed Pospesil, chairman of the Technology Executives Networking Group, a Guilford, Conn.-based network of 3,600-plus IT executives.

It's also an essential tool for would-be IT executives, he said. “The people who network are those who make it to the executive ranks,” Pospesil said. “The worker bees don't.”


IT workers looking for new jobs can download what IT services company TAC Worldwide Cos. calls the Start button. The button, which can reside on any Windows PC's desktop, provides one-click access to TACSource, the company's proprietary database of more than 10,000 IT and engineering positions. If you use it and like it, you can e-mail the TAC Start button to job-seeking friends.


Shark Tank

TRUE TALES OF IT LIFE AS TOLD TO SHARKY


brings it to this IT pilot fish
to load VPN software on it.
But the machine comes with
Windows Vista Home, and the
VPN client software refuses


stall it,” he says. “The voice
mail I received back: ‘I don't
even know what that Windows
Vista thing is anyway,
so you have my permission to
remove it from my laptop so
I can get the VPN software.’
Yeah, OK, I'll do that, but


“Periodically, we send out
reminders to the users to
check their personal information
and update it if necessary


e-mail with the standard closing
telling users to contact me
if they have any difficulties or
questions. I received a reply


of the sixth-floor denizens,”
reports a pilot fish in the
know. “He then returned to
his office on the third floor.
The next day, fish's group was
assigned a help desk ticket
reading: ‘Fred was on the
sixth floor yesterday, and ever
since then, the mainframe terminals
have not been working
properly.’ This was a serious
help desk ticket - even though
Fred had no responsibility for
or access to the mainframes.”

Chicken Soup for
The Clueless Soul

Pilot fish is covering the help
desk at this small college

■  FRANKLY  SPEAKING 

Frank  Hayes 

No More Optimism


HOW  LONG  have  we  been  hearing  about  this  TJX 
mess?  It’s  hard  to  believe,  but  the  news  broke  last 
January: Intruders had stolen credit card transaction
data about customers of T.J. Maxx, Marshalls
and other TJX stores. Back then, TJX claimed that “a limited
number” of customers were affected. “And by ‘limited’ we
mean substantially less than millions,” a spokeswoman said.
Last week, we got a harder number: 94 million customers.


How  could  TJX  have 
been  so  spectacularly 

One  word:  optimism. 

Oh  sure,  these  people 
might  just  be  lying  SOBs 
who  deliberately  covered 
up  the  awful  news.  But 
what  we  know  suggests 
they really were concerned
— just clueless as
to  how  bad  it  could  get. 

Consider this: Back
in January, TJX thought
the breach came in mid-May
2006. But within
weeks, an investigation
by IBM and General
Dynamics found that the
first intrusion had happened
almost a year earlier,
in July 2005 - not
seven but 17 months before
it was discovered.

In  January,  TJX  said 
the  number  of  customers 
affected  was  under  a  mil¬ 
lion.  But  the  New  Hamp¬ 
shire  Bankers  Associa¬ 
tion,  which  represents 
banks  that  issue  credit 
cards  in  that  state,  esti¬ 
mated  that  up  to  4  mil¬ 
lion  people  were  affected 
just  in  New  England. 


By  March,  TJX’s  es¬ 
timate  had  ballooned 
to  45.6  million  credit 
accounts  in  filings  with 
the  U.S.  Securities  and 
Exchange  Commission. 
The company is still officially
sticking with that
number. But in court filings
last week, a group of
banks  said  that  94  million 
separate  credit  and  debit 
card  accounts  were  af¬ 
fected  —  65  million  Visa 
accounts  and  29  million 
MasterCard  accounts. 

That’s  100  times  TJX’s 
first  estimate,  and  so 
astonishingly  out  of 
whack  with  the  original 
statement  that  if  it  was 
an  intentional  lie,  it  was 
doomed  to  be  unbeliev¬ 
able  from  the  start. 

But  optimism?  Yeah, 
we  can  believe  that. 

After  all,  IT  people 
know  how  seductively 


attitiidtf?Sure. 

A  IIOIIMnB*CcHr 

Igj^Mfong  vMfvv? 


dangerous  optimism  can 
be.  It’s  the  reason  we 
routinely  overrun  project 
budgets  and  timelines. 

It’s  why  user  training 
always  takes  longer  and 
is  less  effective  than  we 
expect  it  to  be.  It’s  the 
root  cause  of  most  of  our 
software  problems  and 
hardware  headaches. 

We  underestimate 
what  can  go  wrong.  And 
when  it  does,  we’re  not 
prepared.  In  fact,  we’re 
blindsided.

And  when  it  comes 
to  security,  optimism 
is  deadly.  It  means  we 
underestimate  the  risks 
before  a  breach  and  un¬ 
derestimate  the  damage 
once  it  happens. 

Unfortunately,  opti¬ 
mism  is  popular  with 
management,  especially 
at  the  top.  Short  sched¬ 
ules,  lowball  budgets  and 
rosy  security  outlooks 
are  what  they  want  to 
hear.  Realistic  assess¬ 
ments  of  time,  cost  and 
risk?  That’s  the  stuff  that 
gets  the  messenger  shot. 

But  that’s  what  we 


have to deliver.

How? With a little
sugarcoating, maybe. Or
backed by lots of statistical
detail. Or with downside
examples based on
experience — our own or
our competitors’.

Exactly how to rein in
that  desire  for  optimism 
depends  on  company  cul¬ 
ture  and  politics.  But  it 
has  to  be  done. 

And  the  first  step  is 
getting  rid  of  unrealistic 
optimism  throughout 
the  IT  shop.  We  have  to 
recognize  that  problems, 
time  bombs  and  dead 
ends  exist,  so  we  can  find 
them  and  deal  with  them. 

That  doesn’t  mean 
gloom  and  doom  should 
rule  IT  —  just  a  healthy 
skepticism  about  how 
smoothly  things  will  go, 
along  with  a  sharp  eye 
for  worst-case  scenarios. 

A  can-do  attitude? 
Sure.  A  nothing-can-go- 
wrong  view?  Never. 

As  for  TJX,  for  all 
the  trouble  optimism 
has  caused  through  the 
course  of  this  security  fi¬ 
asco,  maybe  this  isn’t  the 
time  to  abandon  those 
rose-colored  glasses. 

With  the  FTC,  Cana¬ 
dian  privacy  regulators, 
state  officials  and  94  mil¬ 
lion  customers  breathing 
down  its  neck,  TJX  had 
better  hope  things  just 
don’t get any worse.

Frank Hayes is Computerworld’s
senior news
columnist. Contact him
at frank_hayes@computerworld.com.
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